An interesting additional bit of information - a claim that the researcher
reverse-engineered the patches?
---------- Forwarded message ----------
Date: Fri, 03 Feb 2006 18:59:50 -0600
From: David M. Graham
To: cve at mitre.org
Subject: RE : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0478
Your CVE-2006-0478 entry is largely correct.
The potential for this exploit was recognized by us approximately a
month ago, and we immediately developed a patch.
The initial announcement of this risk was made on our website at
http://creloaded.com, and it included a patch which will close the
vulnerability on all known 6.0x and 6.1x releases. Subsequently,
announcements were made to several security organizations by an
individual who included links to a freely available script written to
take advantage of the previously publicized issue on unpatched releases.
Despite multiple notifications to registered users, distribution of the
patch remained low and this remains a serious threat. We strongly
encourage users of CRE Loaded 6.x, osCMax, and other users of
osCommerce who have installed HTMLArea based WYSIWYG editors and Admin
Access with Levels to modify their installations at the earliest
possible moment.
Regards,
David M. Graham,
CRE Loaded Project Manager
Chain Reaction Works, Inc.